Does your business need ISO?

Moody International explains how and why companies go for ISO certification

ISO9001 aids company development|~||~||~|ISO9001. It’s not a new concept, and it’s not a legal requirement. In fact, it’s been around in the UK for years and in the Gulf region for at least the last seven. But do companies here know anything about it?

ISO9001 (International Standards Organisation) 2000 is a quality management standard that companies can be certified for via a certification body. The concept was originally born in the UK from a military defence standard, DEF521. It emerged when big names such as British Nuclear Fuels, British Aerospace and the Ministry of Defence started requiring suppliers to have a quality management system as a condition of winning their business.

In 1988, suppliers began to be separately audited by accreditation authorities. Certification was carried out against British Standard 5750 (BS5750), the then accepted standard for independent third party assessment of suppliers’ quality systems. This provided a vehicle for suppliers to gain credibility in the eyes of potential clients. ISO9001 2000 is actually an amalgamation of three separate standards: ISO9001, 9002 and 9003. It is now the recognised standard, the international model to be qualified through.

“The popularity and success of the ISO9001 standard has been proven to so many companies globally, organisations look at it as a model to provide structure that will aid them in their development,” says Wayne Bamford, quality and certification manager at Moody International Certification, Dubai. “If a small company is using ISO, it helps its development into a medium organisation in a structured manner,” he adds.

The same applies to a medium-sized company wishing to become a larger organisation. Some companies do use the certification for marketing purposes, although it’s doubtful whether that generates business. Larger companies use ISO to help them gain control over their sprawling resources.

So how does ISO9001 2000 and a certification body like Moody assess companies? Initially, a company has to review whether it has the in-house capabilities to implement the system based on the requirements of the standard. If it doesn’t, Moody recommends it employs the services of a management consultant. The consultant will help it develop procedures and policies that fit against the requirements of the standard. At the end of that project, the company applies for certification.

Moody conducts a review of the procedures and policies that the company has developed with the consultant to see whether they meet the requirements of the standard. Moody then visits the company and looks for evidence to see whether the system and its procedures have actually been implemented. ISO9001 2000 has five main ‘areas’: quality management system, management responsibility, resources management, product realisation and measurement & analysis.

Certificates issued are valid for 3 years and each certificate is the property of the certified body. During the three years, there are checks. Every six months or so, Moody audits sections of the system. Then there’s a reassessment at the end of the three years to see if the certificate can be re-issued. It’s not just certified companies that are under surveillance. Moody must pass certain regulations before it has approval to offer certification. The ‘Big Brother’ to Moody is a European standard called EN45012.||**||Around 1,000 UAE companies are certified|~||~||~|“The key elements in the EN45012 standard are that Moody has the capability to audit a specific type of company,” says Bamford. “It cannot, for example, send a butcher or a baker to a steel manufacturer because they wouldn’t understand the [business] processes.”

So are there any loopholes within the system? Companies pay for Moody certification, so surely it’s in Moody’s interest to pass them. And can companies hide mistakes from auditors?

“Companies do pay independently for Moody’s services,” concedes Bamford. “However, if Moody produces a report where a) the auditor isn’t competent to do the job or b) Moody hasn’t got a complete report, then Moody will gain non-compliances from its regulator and they will invalidate that certificate. The regulators will make Moody select a new audit team and then go back to the company and reassess it,” he explains.

So the certification body won’t get away with it, and neither will a company trying to manipulate certification. A good auditor will be able to see where companies have cut any corners. “In a situation where a company isn’t maintaining the system, Moody raises what’s called minor and major non-conformities against the system,” says Bamford.

A company then has three months to address the issues. Moody will then re-visit that company after three months and verify the effectiveness of the corrective action. If the situation is not rectified, then Moody recommends withdrawal of the certificate. Moody requests the return of the certificate and tells a company to cease using the certification logo.

“We can actually take it off them as easily as issuing them a certificate,” says Bamford. “But it’s a very rare situation. Companies pay a lot of money for this and in fact, the consultancy costs are usually the larger portion of the whole project.”Approximately 90% of companies are going through first time. According to Bamford, this is because most of them have utilised the services of a management consultant. “If a company has used a management consultant and they still fail, then it’s usually down to lack of commitment from them in the first place, or they’ve had a poor selection of consultant,” says Bamford.

Whilst it may seem, however, that a large number of companies are certified, this is still an emerging market. MMI, a maker of instrumentation and calibration products, is one organisation certified by Moody.

After using an older revision for several years, MMI plans to implement ISO9001 2000 at renewal next year. It welcomes the new standard. “We are looking forward to implementing the ISO9001 2000 standard because with the old one, you could produce consistent rubbish,” says James Hay, engineering manager. “In the 2000 version, you have to prove that the company is producing a quality product or service.”

Around 1,000 companies have ISO9001 in the UAE, and about 200 are certified by Moody. In KSA, around 800 certificates have been issued.||**||